Perform additional checks in PEHeaders.

src/libraries/System.Reflection.Metadata/src/System/Reflection/PortableExecutable/PEHeaders.cs

@@ -93,13 +93,26 @@ public PEHeaders(Stream peStream, int size, bool isLoadedImage)
             _coffHeaderStartOffset = reader.Offset;
             _coffHeader = new CoffHeader(ref reader);
 
-            if (!isCoffOnly)
+            if (isCoffOnly)
+            {
+                // These characteristics bits are documented in https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image
+                // that should be set only on image files.
+                const Characteristics ImageOnlyCharacteristics = Characteristics.RelocsStripped | Characteristics.ExecutableImage;
+                // Because COFF files do not have a magic number, perform some additional checks to catch outright invalid files.
+                if (_coffHeader.SizeOfOptionalHeader != 0
+                    || _coffHeader.PointerToSymbolTable >= actualSize
+                    || (_coffHeader.Characteristics & ImageOnlyCharacteristics) != 0)
+                {
+                    throw new BadImageFormatException(SR.UnknownFileFormat);
+                }
+            }
+            else
             {
                 _peHeaderStartOffset = reader.Offset;
                 _peHeader = new PEHeader(ref reader);
             }
 
-            _sectionHeaders = ReadSectionHeaders(ref reader);
+            _sectionHeaders = ReadSectionHeaders(ref reader, actualSize, isCoffOnly);
 
             if (!isCoffOnly)
             {
@@ -289,10 +302,10 @@ private static void SkipDosHeader(ref PEBinaryReader reader, out bool isCOFFOnly
             }
         }
 
-        private ImmutableArray<SectionHeader> ReadSectionHeaders(ref PEBinaryReader reader)
+        private ImmutableArray<SectionHeader> ReadSectionHeaders(ref PEBinaryReader reader, int size, bool isCoffOnly)
         {
             int numberOfSections = _coffHeader.NumberOfSections;
-            if (numberOfSections < 0)
+            if (numberOfSections < 0 || numberOfSections * SectionHeader.Size > size - reader.Offset)
             {
                 throw new BadImageFormatException(SR.InvalidNumberOfSections);
             }
@@ -301,7 +314,12 @@ private ImmutableArray<SectionHeader> ReadSectionHeaders(ref PEBinaryReader read
 
             for (int i = 0; i < numberOfSections; i++)
             {
-                builder.Add(new SectionHeader(ref reader));
+                var sectionHeader = new SectionHeader(ref reader);
+                if (isCoffOnly && sectionHeader.VirtualSize != 0)
+                {
+                    throw new BadImageFormatException(SR.UnknownFileFormat);
+                }
+                builder.Add(sectionHeader);
             }
 
             return builder.MoveToImmutable();

src/libraries/System.Reflection.Metadata/tests/PortableExecutable/PEHeadersTests.cs

@@ -50,6 +50,13 @@ public void Ctor_Streams()
             Assert.Equal(0, s.Position);
         }
 
+        [Fact]
+        public void Ctor_InvalidFile()
+        {
+            using var stream = new MemoryStream(Misc.KeyPair);
+            Assert.Throws<BadImageFormatException>(() => new PEHeaders(stream));
+        }
+
         [Fact]
         public void FromEmptyStream()
         {

src/libraries/System.Reflection.Metadata/tests/PortableExecutable/PEReaderTests.cs

@@ -869,15 +869,5 @@ public unsafe void InvokeCtorWithIsLoadedImageAndPrefetchMetadataOptions2()
                 }
             }
         }
-
-        [Fact]
-        public void HasMetadataShouldReturnFalseWhenPrefetchingMetadataOfImageWithoutMetadata()
-        {
-            using (var fileStream = new MemoryStream(Misc.KeyPair))
-            using (var peReader = new PEReader(fileStream, PEStreamOptions.PrefetchMetadata | PEStreamOptions.LeaveOpen))
-            {
-                Assert.False(peReader.HasMetadata);
-            }
-        }
     }
 }